无法使用 AD 凭据登录

无法使用 AD 凭据登录

我有一台 DC(Debian),看起来运行正常。成员机可以加入域,但 Fedora 成员加入时虽然加入成功,DNS 记录却没有自动注册,我只能手动把记录添加到 DC 上。Debian 成员加入没有问题,而且我可以通过 ssh 和桌面 GUI 用域账号登录 Debian 成员。但在 Fedora 成员上,域账号什么都做不了:只有本地用户可以登录(ssh/gui)。

/var/log/audit/audit.log

type=CRYPTO_SESSION msg=audit(1636214847.520:2087): pid=32861 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=from-server [email protected] ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=32862 suid=74 rport=34444 laddr=10.0.0.17 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.0.0.16 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRYPTO_SESSION msg=audit(1636214847.522:2088): pid=32861 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=from-client [email protected] ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=32862 suid=74 rport=34444 laddr=10.0.0.17 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.0.0.16 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=USER_AUTH msg=audit(1636214851.295:2089): pid=32861 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="test" exe="/usr/sbin/sshd" hostname=10.0.0.16 addr=10.0.0.16 terminal=ssh res=failed'UID="root" AUID="unset"
type=CRYPTO_KEY_USER msg=audit(1636214857.117:2090): pid=32861 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=destroy kind=session fp=? direction=both spid=32862 suid=74 rport=34444 laddr=10.0.0.17 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.0.0.16 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRYPTO_KEY_USER msg=audit(1636214857.117:2091): pid=32861 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=destroy kind=server fp=SHA256:3f:a3:9d:94:52:57:d5:43:b1:ed:67:07:77:62:db:05:80:10:1b:b0:57:ab:77:56:88:b8:2a:f2:ef:3e:d3:73 direction=? spid=32862 suid=74  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRYPTO_KEY_USER msg=audit(1636214857.122:2092): pid=32861 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=destroy kind=server fp=SHA256:3f:a3:9d:94:52:57:d5:43:b1:ed:67:07:77:62:db:05:80:10:1b:b0:57:ab:77:56:88:b8:2a:f2:ef:3e:d3:73 direction=? spid=32861 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" SUID="root"
type=USER_LOGIN msg=audit(1636214857.122:2093): pid=32861 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.16 terminal=ssh res=failed'UID="root" AUID="unset"

/etc/ssh/sshd_config

# sshd_config as posted in the question. sshd uses the first value it obtains
# for each keyword, so anything set in the included drop-ins takes precedence
# over the same keyword further down in this file.
# NOTE(review): the next line looks like two directives ("Include ..." and
# "AcceptEnv LANG LC_*") joined when the page was rendered; read as one line,
# sshd would treat the trailing words as additional Include patterns. Confirm
# against the real file.
Include /etc/ssh/sshd_config.d/*.conf AcceptEnv LANG LC_*
# NOTE(review): /usr/lib/openssh/ is where Debian installs sftp-server; Fedora
# normally ships it under /usr/libexec/openssh/. Verify on the Fedora member.
Subsystem   sftp    /usr/lib/openssh/sftp-server
# Keyboard-interactive authentication is off, so a typed password reaches PAM
# only through PasswordAuthentication below.
ChallengeResponseAuthentication no 
# Needed for the PAM stack (and any winbind/sssd modules in it) to be consulted.
UsePAM yes 
# X11 forwarding widens what a compromised session can reach; keep it only if
# it is actually used.
X11Forwarding yes
PrintMotd no 
# Password logins are enabled: for AD accounts, resistance to guessing then
# depends on the domain lockout policy and on rate limiting in front of sshd.
PasswordAuthentication yes 
# Only members of this group may log in, local accounts included. The name is
# matched against what NSS returns on this host, so a group that winbind/sssd
# cannot resolve, or exposes under a different name, leaves every domain login
# refused.
AllowGroups "domain users"

sshd 的 PAM 配置文件

#%PAM-1.0
# PAM stack for sshd as posted. Only the "auth" lines decide whether a password
# is accepted; here that decision is delegated entirely to password-auth.
# NOTE(review): the audit record in the question shows op=PAM:authentication
# res=failed, so an AD-capable auth module (pam_winbind or pam_sss) would have
# to be present in password-auth. That file is not shown; confirm there.
auth       substack     password-auth
auth       include      postlogin
# Account phase: pam_sepermit gates the login on SELinux state and pam_nologin
# refuses non-root logins while /etc/nologin exists.
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
# The next three lines name three different identity back ends (Kerberos,
# winbind, SSSD) in the session phase only. They run after authentication has
# already succeeded and, being "optional", their failure is ignored; they do
# not by themselves make AD credentials acceptable.
# NOTE(review): winbind and SSSD are normally alternatives; check which one
# this host is really joined with.
session    optional     pam_krb5.so minimum_uid=1000
session    optional     pam_winbind.so
session    optional     pam_sss.so
# Records the login UID used by the audit subsystem (the auid field in audit.log).
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
# Gives the session its own keyring and revokes it when the session ends.
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin
